Date:      Fri, 29 Mar 2024 10:02:14 -0700
From:      Gordon Tetlow <gordon@tetlows.org>
To:        freebsd-security@freebsd.org
Subject:   Disclosed backdoor in xz releases - FreeBSD not affected
Message-ID:  <1C17C92B-AFC2-4B7A-9594-25864156A546@tetlows.org>


FreeBSD is not affected by the recently announced backdoor included in
the 5.6.0 and 5.6.1 xz releases.

All supported FreeBSD releases include versions of xz that predate the
affected releases.

The main, stable/14, and stable/13 branches do include the affected
version (5.6.0), but the backdoor components were excluded from the
vendor import. Additionally, FreeBSD does not use the upstream's build
tooling, which was a required part of the attack. Lastly, the attack
specifically targeted x86_64 Linux systems using glibc.

The FreeBSD ports collection does not include xz/liblzma.

Reference:
https://www.openwall.com/lists/oss-security/2024/03/29/4

Best regards,
Gordon Tetlow
Hat: security-officer


Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?1C17C92B-AFC2-4B7A-9594-25864156A546>